Why Zero Trust Network Access is Necessary for Third-party and Contractor Access
Traditional access control systems were designed for employees on managed devices. Today’s blended workforces, however, force administrators to manage a shifting mix of employees and contractors who could be anywhere in the world. Securing contractor access is a particular concern for DevOps teams. Supply chain attacks are accelerating which makes developers primary targets for credential theft.
We will look at why cybercriminals are ramping up supply chain attacks, how credential theft puts DevOps teams at risk, and how legacy VPN technologies make the situation worse. Fortunately, the modern approach of Zero Trust Network Access (ZTNA) offers a path to better access and better security.
Compromising an IT supply chain lets hackers attack hundreds or thousands of organizations by using malicious code to open backdoors into their victims’ networks. Once in, the hackers use lateral movement techniques to expand their foothold and plan the next phase of the attack.
This multiplier effect drove a 300% increase in supply chain attacks in 2021 alone. Some of the highest-profile supply chain attacks of recent years include:
- SolarWinds (2020): State-sponsored hackers gained access to SolarWinds’ network management software, potentially gaining access to more than 18,000 organizations, including US federal agencies. The resulting cleanup costs may have exceeded $100 billion.
- Kaseya (2021): Another network management software developer, Kaseya, was breached a year later, letting hackers penetrate networks at hundreds of small and medium-sized businesses. The resulting ransomware demands ranged from $45,000 to as much as $11 million.
Although some supply chain attacks, such as Kaseya, begin with technical vulnerabilities, many start with stolen credentials. Compromised Office365 accounts gave hackers their first entry into SolarWinds’ networks. Stolen credentials are nothing new — IBM reports that compromised accounts are the most common vector for cyberattacks in general. But access to a company’s codebase makes developers’ credentials juicy targets.
This is where today’s software development workforces make things complicated. Developers could be employees or contractors. They could work from a managed device or a personal device. They could be in the office or at home or at a coffee shop anywhere in the world. This flexibility lets businesses attract the best talent. But it makes network security extremely complex — especially with the weaknesses of technologies like VPN.
VPN and similar technologies are integrated into the physical and logical network architecture, and they were designed at a time when networks were more centralized and controlled. Today’s decentralized, cloud environments push these legacy technologies to their breaking point.
For example, giving contractors remote access through VPN increases security risks. VPN was created to give access to entire networks — and it still does. Letting contractors through a VPN gateway gives them access to any resource and service on that network. Should hackers compromise contractor credentials or devices, they get the same freedom of movement.
Micro-segmentation can mitigate VPN’s weaknesses. But sub-divided networks are expensive and difficult to manage. In addition, every change to any user’s access permissions requires updates and synchronization across the network. Micro-segmentation simply is not compatible with large, dynamic development teams.
A modern network access approach makes micro-segmentation simple to implement and manage. ZTNA uses the principle of least privilege to provide granular control over resource access. Typically, a contractor only needs to use a few specific resources. Policies based on least privilege give contractors the access they need while blocking them from anything else.
ZTNA systems decouple access control from the physical network which makes managing contractors much easier. When administrators update a user’s permissions, the changes go into effect immediately without impacting the network.
ZTNA’s advantages over VPN do not stop there. Legacy technologies require separate systems to manage on-premises access and remote access to private networks. Each cloud platform and service has its own VPN technology. ZTNA replaces these redundant systems with a universal solution that applies consistent secure access policies to all users, resources, and networks.
With more control and simpler administration, ZTNA helps protect a company’s own codebase from direct attack. But the company has no control over the security of its IT supply chain. As we’ve seen, even the largest providers are vulnerable to attack. Dependencies based on under-supported open-source projects further expand supply chain risk.
“Shifting left” to bring supply chain security into DevOps earlier can help. So can layered defenses such as software composition analysis (SCA) and software bill of materials (SBOM). But what happens when these defenses fail?
Zero Trust is based on a fundamental assumption that failure isn’t just an option — it’s already happened. Assuming breaches have already happened shapes every part of a Zero Trust system.
ZTNA solutions deploy proxies in front of each protected resource. These proxies do not advertise their locations and ignore unsolicited inbound connection attempts, effectively rendering the protected resources invisible on any network, private or public.
ZTNA requires every user to authenticate any time they request access. This is true no matter who the user is or where they are connecting from. Executives, managers, developers, and contractors must all verify their identities before the ZTNA system will grant them access.
Zero Trust authentication requires more than identity verification. Everything from the time of day to the user’s location or the source network must be considered. Twingate’s ZTNA solution, for example, lets companies control access based on device security posture factors including:
- Operating system
- Hard drive encryption
- Screen lock
Even when authenticated based on identity and context, the user does not get direct access to the protected resource. Instead, the ZTNA system facilitates an encrypted tunnel between a proxy client on the user’s device and the proxy protecting the resource. All information about the resource proxy disappears once the session ends. A new session must go through the ZTNA system — with another round of authentication.
Session-by-session authentication and one-to-one proxied tunnels let companies implement role-based policies that provide granular control over resource access.
Explicit verification with each connection request, proxied encrypted tunnels, and granular least-privileged access controls limit the impact of supply chain attacks. Hackers may gain access to one resource, but they cannot see other resources or networks. As a result, ZTNA neutralizes lateral movement techniques and significantly reduces the attack’s blast radius.
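To make the per-request evaluation concrete, the following is an added Python illustration (not Twingate’s code) of a policy check that applies least privilege, the device posture factors listed above, and the source network and time of day to every connection request. The roles, resource names, policy values and sample requests are constructed for this example.

```python
from dataclasses import dataclass
from datetime import time
from ipaddress import ip_address, ip_network
@dataclass(frozen=True)
class DevicePosture:
    os: str              # e.g. "macos", "windows", "linux"
    disk_encrypted: bool
    screen_lock: bool
@dataclass(frozen=True)
class AccessRequest:
    role: str            # e.g. "contractor", "developer"
    resource: str        # the single resource being requested
    source_ip: str
    local_time: time
    device: DevicePosture
# Least privilege: a role sees only the resources explicitly granted to it
# (constructed sample policy, not a real deployment's configuration).
ROLE_RESOURCES = {
    "contractor": {"git-server", "staging-api"},
    "developer": {"git-server", "staging-api", "ci-runner"},
}
ALLOWED_OS = {"macos", "windows", "linux"}
BLOCKED_NETWORKS = [ip_network("203.0.113.0/24")]  # constructed (TEST-NET-3)
WORK_HOURS = (time(7, 0), time(20, 0))
def evaluate(req: AccessRequest) -> tuple:
    """Decide one connection request. Nothing carries over from an earlier
    session: every request is re-checked against all policy factors."""
    if req.resource not in ROLE_RESOURCES.get(req.role, set()):
        return False, "resource not granted to role"
    if req.device.os not in ALLOWED_OS:
        return False, "unsupported operating system"
    if not req.device.disk_encrypted:
        return False, "disk encryption required"
    if not req.device.screen_lock:
        return False, "screen lock required"
    if any(ip_address(req.source_ip) in net for net in BLOCKED_NETWORKS):
        return False, "source network blocked"
    if not WORK_HOURS[0] <= req.local_time <= WORK_HOURS[1]:
        return False, "outside permitted hours"
    return True, "allowed"
# Constructed sample requests (198.51.100.0/24 and 203.0.113.0/24 are documentation ranges).
GOOD = DevicePosture("macos", True, True)
SAMPLES = {
    "contractor_git": AccessRequest("contractor", "git-server", "198.51.100.7", time(10, 30), GOOD),
    "contractor_ci": AccessRequest("contractor", "ci-runner", "198.51.100.7", time(10, 30), GOOD),
    "no_disk_enc": AccessRequest("developer", "ci-runner", "198.51.100.7", time(10, 30), DevicePosture("linux", False, True)),
    "blocked_net": AccessRequest("developer", "ci-runner", "203.0.113.9", time(10, 30), GOOD),
    "after_hours": AccessRequest("developer", "ci-runner", "198.51.100.7", time(23, 0), GOOD),
}
```

Because the decision is recomputed for each request, a contractor whose device loses disk encryption or who connects from a blocked network is denied on the very next connection, with no dependence on the network topology.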
Migrating from decades-old network access technologies to a modern Zero Trust solution does not have to disrupt your organization. ZTNA best practices encourage you to start small and expand in stages.
Third-party access is one of the best places to start. Nothing changes for other users during this first stage. ZTNA solutions like Twingate require no changes to your existing network or resources. And moving contractors from the old VPN system to your Twingate ZTNA solution delivers instant results:
- Contractors lose access to most networks and resources.
- Contractors keep access to the resources they do need.
- Administration is easier since access is not tied to the network.
- Contractors’ experience improves without the headaches of VPN.
Starting with contractors makes selling ZTNA to your remote DevOps employees much easier. They will have seen first-hand how much better the ZTNA experience is than the old VPN system. Your on-premises team members may even start asking when they can join the project.
These early successes reinforce executive commitment and increase stakeholder support as your ZTNA rollout extends beyond DevOps to Finance and other high-priority teams.
Whether your company is the primary target or a means to an end, supply chain attacks have put your developer teams in cybercriminals’ sights. SCA, SBOMs, and other defensive layers can keep the threat at bay, but they are not enough. VPN and similar legacy technologies simply cannot handle today’s distributed networks and workforces.
Twingate’s modern Zero Trust solution assumes that breaches have already happened. Every request must be challenged, every identity verified, and context variables such as device posture evaluated. Only then can access policies based on the principle of least privilege go into effect. Twingate makes managing contractor access simpler and more convenient while significantly reducing your attack surface and limiting the blast radius of supply chain attacks.
Try our free Standard plan for individuals and small teams to see for yourself how easy Zero Trust can be. Or contact us to learn more about protecting your company from the growing wave of supply chain attacks.